azorult | dec6b08ad93d22660e040ff56d4a6523428243741af91d0980efd00dc2521951

Analysis

max time kernel
173s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

011ea7874d4283dd836277fa880e228b.exe
Size

704KB
MD5

011ea7874d4283dd836277fa880e228b
SHA1

990de8c5104409e38bc9c33d246db07003c96dd0
SHA256

dec6b08ad93d22660e040ff56d4a6523428243741af91d0980efd00dc2521951
SHA512

06eda2f49680311c9d70015adfc0f05c3fadb92cde9d984a6852b088aafc1f39694e46dd97ecca19e97e42c22590d92b1e9a359d246227459350156d7feb7cfa
SSDEEP

12288:FICNfU0r7Eimtj3QlxV5Ka4vbV124x7aWtO3RlUG5c4RFSIkuW8:pU0nEbj8NKa4P7O0KjRFC8

Score

10^/10

azorult oski zgrat infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

azorult

http://195.245.112.115/index.php

Extracted

Family

oski

hsagoi.ac.ug

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral2/memory/4388-11-0x00000000072A0000-0x0000000007364000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-12-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-21-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-31-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-35-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-33-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-43-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-51-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-59-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-63-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-71-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-75-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-73-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-69-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-67-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-65-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-61-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-57-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-55-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-53-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-49-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-47-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-45-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-41-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-39-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-37-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-29-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-27-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-25-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-23-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-19-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-17-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-15-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/4388-13-0x00000000072A0000-0x000000000735F000-memory.dmp	family_zgrat_v1
behavioral2/memory/3492-2000-0x0000000006D50000-0x0000000006DC8000-memory.dmp	family_zgrat_v1

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	011ea7874d4283dd836277fa880e228b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
532	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
3508	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4388 set thread context of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 3492 set thread context of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3120	3508	WerFault.exe	109
3708	3508	WerFault.exe	109

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings	011ea7874d4283dd836277fa880e228b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4388	011ea7874d4283dd836277fa880e228b.exe
4388	011ea7874d4283dd836277fa880e228b.exe
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4388	011ea7874d4283dd836277fa880e228b.exe
Token: SeDebugPrivilege	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4388 wrote to memory of 4628	4388	011ea7874d4283dd836277fa880e228b.exe	101
PID 4388 wrote to memory of 4628	4388	011ea7874d4283dd836277fa880e228b.exe	101
PID 4388 wrote to memory of 4628	4388	011ea7874d4283dd836277fa880e228b.exe	101
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4388 wrote to memory of 1464	4388	011ea7874d4283dd836277fa880e228b.exe	102
PID 4628 wrote to memory of 3492	4628	WScript.exe	103
PID 4628 wrote to memory of 3492	4628	WScript.exe	103
PID 4628 wrote to memory of 3492	4628	WScript.exe	103
PID 3492 wrote to memory of 532	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	108
PID 3492 wrote to memory of 532	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	108
PID 3492 wrote to memory of 532	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	108
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3492 wrote to memory of 3508	3492	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	109
PID 3508 wrote to memory of 3120	3508	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	113
PID 3508 wrote to memory of 3120	3508	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	113
PID 3508 wrote to memory of 3120	3508	Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe	113

C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe
"C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Fyxzojheuxzdxbqlgokhton.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
    "C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
      C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
      4⤵
      Executes dropped EXE
      PID:532
  - - C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
      C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 964
        5⤵
        Program crash
        
        PID:3120
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3508 -s 964
        5⤵
        Program crash
        
        PID:3708
- C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe
  C:\Users\Admin\AppData\Local\Temp\011ea7874d4283dd836277fa880e228b.exe
  2⤵
  PID:1464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3508 -ip 3508
1⤵
PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Fyxzojheuxzdxbqlgokhton.vbs

Filesize
121B

MD5
57d2e626d7a3f6ec32a9cedf0792c5b9

SHA1
f460923c6d4e57cbba8716027df4caa6d41f7f1f

SHA256
14920ae1c88247e4e2b9910be2cd5c465e0295962b5687057c368711a39f802f

SHA512
a2efcb2576f11801779c052fd858260e9110a5120b5cb4d4d3b7f0f1e22f7fb4ad80132f3da70c5ed51c400b3132fee7c63171d6b2ef76503551fa94ca1f4011

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Filesize
101KB

MD5
47bdc2e60c0a2b04fe656ce4cfac1dda

SHA1
df84420171c74abf61f994d77584182755fae366

SHA256
176c3811b714258f1ec705fd2bc8d84f887e0942af8fcf202f819bc21b5f63d4

SHA512
7383b41df4f246295840363b406ac1448ec043af20b4556a2125cbba75bc13653aba5d04a8aad9ac80217cf3e54e8ee58a21b45aa835d41a9122bc965020308c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Filesize
82KB

MD5
b25abaf81e863a24c57e34770969f792

SHA1
fa9b379b4c342ac8c77d2118718194303b880ce4

SHA256
d4d1df252e5d24fcdcb4c4780e53e7d41c9fba6a306b0363510b5fc40367df1b

SHA512
ae95dbe2fa0c19a6bc7a02011b94ee066f1736bd5dba2c3d9e7011326643e8df357b6ad6e62852aa64a7f42f3754977839f78cea8cf066f5d7f9ac7c78df2cab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zhmvsxlfcxwvbtywomhtfconsoleapp18.exe

Filesize
397KB

MD5
f5e11b62f485aa1e95073c665a147cd2

SHA1
d71acedc812f72756b756e23fbc5c756d163ad48

SHA256
1b466bd2985862702ab9fb242e0c79e27dd2c4b4c676d9ba44d6bef3e93b1534

SHA512
df152055bb196822c638cf0a824907884076ebb65200535362d545a1d5c78e29631c8cef2651c1a944e43ac74b554ec4156efe36acf3465824a96f37e28fed96

Download Submit
memory/1464-1992-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1464-1998-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3492-1999-0x0000000005DB0000-0x0000000005E0E000-memory.dmp

Filesize
376KB

Download
memory/3492-2000-0x0000000006D50000-0x0000000006DC8000-memory.dmp

Filesize
480KB

Download
memory/3492-2132-0x0000000073680000-0x0000000073E30000-memory.dmp

Filesize
7.7MB

Download
memory/3492-2881-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3492-1997-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/3492-1996-0x0000000073680000-0x0000000073E30000-memory.dmp

Filesize
7.7MB

Download
memory/3492-1995-0x0000000000770000-0x00000000007DA000-memory.dmp

Filesize
424KB

Download
memory/3492-4380-0x0000000073680000-0x0000000073E30000-memory.dmp

Filesize
7.7MB

Download
memory/3508-4379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3508-4383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4388-53-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-25-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-51-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-59-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-63-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-71-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-75-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-73-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-69-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-67-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-65-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-61-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-57-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-55-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-0-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-49-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-47-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-45-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-41-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-39-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-37-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-29-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-27-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-43-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-23-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-19-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-17-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-15-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-13-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-33-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-1991-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-35-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-31-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-21-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-12-0x00000000072A0000-0x000000000735F000-memory.dmp

Filesize
764KB

Download
memory/4388-11-0x00000000072A0000-0x0000000007364000-memory.dmp

Filesize
784KB

Download
memory/4388-10-0x0000000007470000-0x000000000748E000-memory.dmp

Filesize
120KB

Download
memory/4388-9-0x0000000007550000-0x00000000075FA000-memory.dmp

Filesize
680KB

Download
memory/4388-8-0x00000000074D0000-0x0000000007546000-memory.dmp

Filesize
472KB

Download
memory/4388-7-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4388-6-0x0000000074800000-0x0000000074FB0000-memory.dmp

Filesize
7.7MB

Download
memory/4388-5-0x0000000005C20000-0x0000000005C2A000-memory.dmp

Filesize
40KB

Download
memory/4388-4-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/4388-3-0x0000000005B20000-0x0000000005BB2000-memory.dmp

Filesize
584KB

Download
memory/4388-2-0x00000000060D0000-0x0000000006674000-memory.dmp

Filesize
5.6MB

Download
memory/4388-1-0x0000000000FD0000-0x0000000001086000-memory.dmp

Filesize
728KB

Download